Securosis

Research

DHS raises the deflector shields

All you IT professionals out there who want to divert attention, give your exec’s a warm and fuzzy feeling you’re saving money and making you’re users experience better, just do what the DHS did. Margaret Graves, DHS deputy CIO, pulled a page from Star Trek and flummoxed Congress with some Techno-Babble. From [Network World](http://www.networkworld.com/news/2013/032013-dhs-shifting-to-cloud-agile-267910.html): > At a hearing before the House Committee on Homeland Security on Tuesday, a DHS IT official gave lawmakers an overview of agile development methodologies, one of the tools that the department is using to fix its IT project management. Agile came up after U.S. Rep Ron Barber (D-Ariz.), a former staffer in Rep. Gabrielle Gifford’s office who won that seat after Giffords resigned, asked what DHS was doing to ensure that its IT systems met user needs. Margaret Graves, DHS deputy CIO, said the department is using agile methodologies to create user stories to help shape the systems. In agile development, user stories can be short and informal descriptions of some of the functions users would like to see. She blinded him with science! Throw out a ‘solution’ that sounds good, which lots of people ‘in the know’ approve of, but it too esoteric or complex for critics to understand. In this case it’s Agile development on Cloud resources tuned by User Stories. It’s a red-herring trifecta! I’d be a hypocrite if I said I’d not used this IT-Judo technique before. It works! It always worked on Star Trek. Get in trouble and just re-phase the shield generators and send out a broad spectrum particle beam to detect cloaked vessels. Just so happens the technique works in real life too. All kidding aside – Agile is a great development _process_ as the approach forces simplification of grand projects into simple tasks. And it intrinsically offers the benefits that you are always be working on the most important part of the project – or at least a portion that can be delivered within the coming sprint. But Agile pushes a lot of the burden of successful implementation onto the project manager. PM’s take more control over product and service enhancements, really steering the course of development through prioritization. But _if your product management already sucks, you’ll still fall off the tracks with Agile_. You’ll just do it faster. Dare I say faster than an anti-matter explosion from a warp core breach. And if you don’t understand what that means, fear not, neither does U.S. Representative Ron Barber (D-Ariz.). Chalk one up for Ms. Graves of the DHS. Share:

Share:
Read Post

Incite 3/20/2013: Falling down

I read a profile of Spanx’s Sara Blakely in Forbes Billionaires issue, and the tip that really resonated was that at dinner each night, her father would ask each child what they failed that day. Wait, what? He would be disappointed if the kids didn’t fail something because it meant they weren’t stretching far enough out of their comfort zone. Damn, I wish I thought of that. There is an unnecessary stigma about failure and it’s counter-productive. This is programmed into our heads from a young age. “Winning isn’t everything, it’s the only thing.” Hyper-competitive helicopter parents screaming at their kids to win their 4-year-old T-ball game. I have to say the Boy competes in both lacrosse and tennis, but he doesn’t much care whether he wins or loses. He just moves on. He certainly didn’t get that trait from me – I was very competitive growing up and hated to lose at anything. But I admire it in him. As a result of my unwillingness to screw up, I didn’t really try enough new things. I would compete when I knew I had a very good chance to win. Looking back, it would have served me much better to have tried stuff and made mistakes and realized that I could fall down, and it would be okay. Think about it – we fail every day at all sorts of things, both little and big. Entrepreneurs talk about failing fast and pivoting to the next idea quickly. They fall down but reload and move on. I love the guys who breathe their own exhaust and think they are all who because they joined a company like Google or Facebook early enough to make some money, but not so early that they had much to do with the company’s success. These folks think it was them, while in reality they were lucky. To be fair, these lucky few do learn from being around success. Some can parlay that into success in their next venture. But most don’t. The folks who got blown out are more interesting. As one of them I can tell you that I learned a lot more from failing. In the security world a breach occurs when something fails. Some of the small-minded clean up the mess and move on. They don’t spend enough time trying to figure out what went wrong. They hope the problem will go away. It won’t. It never does. They should do a post-mortem. They need to identify what didn’t work and fix it. An organization’s culture must allow for mistakes, though it’s realistic to expect employees not to make the same mistake twice. I am pretty good about telling my kids that it’s okay to make mistakes. As long as they learn from them. So when they have a no good, horrible, very bad day, messing everything up, I always ask what they have learned. Usually they can tell me, but if not I’ll use it as a teaching moment to explain what they could do differently next time. Ultimately I try to make it clear to them that it’s okay to fail. Really, it’s okay. As long as they get back up and jump into the mix. –Mike Photo credits: Oops! “This Was NOT What I Intended!” originally uploaded by Bridget Coila Upcoming Cloud Security Training Interested in Cloud Security? Are you in EMEA (or do you have a ton of frequent flyer miles)? Mike will be teaching the CCSK Training class in Reading UK on April 8-10. Sign up now. Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Email-based Threat Intelligence Quick Wins Analyzing the Phishing Food Chain Industrial Phishing Tactics Understanding Identity Management for Cloud Services Buyers Guide Architecture and Design Integration Newly Published Papers Network-based Threat Intelligence: Searching for the Smoking Gun Understanding and Selecting a Key Management Solution Building an Early Warning System Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Incite 4 U Vulnerability scoring snoring: I have to admit I have never been a fan of generic vulnerability scoring because it doesn’t take into account the context required to understand the impact of the issue on your network. It’s nice to see Tyler Reguly of nCircle make the same point. He says it pretty bluntly: “The current state of vulnerability scoring is useless. With the frequency of vulnerability disclosure and the number of vulnerabilities patched in products, a bucket consisting of High, Medium, and Low tells me nothing.” Back in Vulnerability Management Evolution I talked a lot about how prioritizing what to do is the key value of these platforms. Tyler then goes on to talk about risk scoring, which adds a few key attributes like exploit availability and access to the system. Right – if you can’t exploit the vulnerability or get to the system, your urgency score needs to drop. Period. – MR SCADA chum: Even today we still run into far too many Operational Technology (OT, as opposed to IT) people who like to pretend they are still safe behind their firewalls. Or that their systems are too specialized for Internet attackers to do anything with, even if they do get in. New research by Trend Micro shatters those misconceptions. The research team put up 3 honeypot networks designed to emulate real utility company networks, and watched as they were hit with 39 attacks from 14 nations (guess who came first?). This is merely one more in a series of wake-up calls, and you can bet that these sorts of results are driving more of the cybersecurity activity in DC than the more-public IP theft. – RM Right idea, wrong direction: This attacks to critical infrastructure story is making the rounds as news. But this is the same story we heard for years about SCADA; vulnerable – we know. But why is it an issue now, and why is it any

Share:
Read Post

The World’s Most Targeted Critical Infrastructure

Microsoft confirms ‘high-profile’ employee Xbox Live accounts hacked Major vulnerability in EA’s Origin platform lets hackers overtake PCs Anyone surprised? Games made an estimated $25.1B in 2010 in the US alone. This is an industry under constant attack – just ask Sony. I’d love to learn more security lessons from them. Share:

Share:
Read Post

When Bad Tech Journalism Gets Worse

Writing is hard – I get it. Tech writing is hard – I get it. Tech journalism is hard, especially when you need to translate complex technological issues into prose that the common reader (depending on your demographic) can understand. Writing about security for TidBITS and Macworld for the past 6 or so years has been an amazing educational experience as I have had to learn exactly how to walk this tightrope and explain things like memory parsing vulnerabilities and ASLR to consumers. So it’s hard. But that isn’t an excuse for irresponsible shoddiness or laziness. Then I saw this on Twitter today: Don Reisinger at CNet published an article today that essentially accuses one of the stalwarts of the security industry of engaging in illegal activity. Gordon Lyon, also known as Fyodor, wrote nmap (among other accomplishments). He reposted an older Full Disclosure email by some researchers who created a botnet out of over 400,000 Internet connected devices. Reisinger? He read that post, assumed Fyodor did the work, wrote an article about it without fact checking or interviewing anyone, and in that article stated that Gordon hacked those devices for “benign research”. But that would be very illegal. And Fyodor had nothing to do with it. Reisinger wrote his article based completely on a repost of an email to Full Disclosure. That’s lazy, shoddy, and irresponsible. Don might be a good guy, and might mean well, but he needs to learn that this sort of ‘journalism’ isn’t acceptable. CNet needs to require at least some semblance of responsibility from their writers. Look, we know half the stuff posted on most tech sites today is rewritten press releases or single-sourced ‘interpretations’ of someone else’s blog post or article (without any additional analysis, which could make it fine). But an article like this actually meets the legal definition of libel (rough guess on my part). I work with some amazing online writers. I have seen inside publications, and know how the editing process works. You can do better CNet, and plenty of other organizations manage to do so while remaining profitable. Update: Fyodor posted a response to the article with a perfect quote: Since he found the full-disclosure post on my mailing list archive site, clearly I must be the hacker :). This has got to be the most bone-headed CNET move since they released the trojan Nmap installer on CNET Download.com. Share:

Share:
Read Post

If you don’t know where you’re going…

How will you know when you get there? That’s the point our pal Kevin Riggins made during his first RSA Conference talk. He wrote up the talk and allowed it to be posted on the Symantec blog. Kevin uses the metaphor of the Winchester Mystery House as a clear (and rather painful) analogy for how far too many people operate their security environments. In summary, someone with a lot of money decided to follow an unusual belief that led to 38 years of perpetual building… without a plan. Does that sound eerily familiar? Oh, but it does. Kevin then goes on to espouse the benefits of a security architecture as a way to structure security activities. I’ll take this one step further and say that the security architecture is an aspect of a broader security program. And if a security program isn’t well defined and accepted by senior management, the architecture isn’t going to help much. Kevin does talk a bit about some programatic aspects, but doesn’t quite say security program, and I think that’s an issue. Of all the things we can do as information security professionals to help the business, understanding their goals, drivers, and strategies will arguably gives us the biggest bang for the buck. If nothing else, it shows the business that we are engaged in what they want to achieve. He does talk about the need to understand the business and address business issues (which is what I call the “security business plan” aspect of the security program, and it is critical), but that’s not an architecture to me. Maybe I am just getting hung up on the words, but I believe an architecture is an aspect of the program, not vice-versa. So get your security program in place; then things like architectures, detailed designs, implementation plans, milestones, dashboards, and reports follow. But without a program, what you do every day will be a mystery to senior management. And you don’t have 38 years to try to tip the karmic forces back in your favor, like Sarah Winchester had. Photo credit: “Dome Plan Drawing” originally uploaded by Pat Joyce Share:

Share:
Read Post

The Right Guy; the Wrong Crime

Internet troll “weev” sentenced to 41 months for AT&T/iPad hack Weev is a total sociopath (not just a troll), and I have no sympathy for him. He wouldn’t know altruism if it kicked him in the nads, and I have little doubt his goal was to harm AT&T with his discovery. But, by all appearances, this is a weak case and a stretch of the Computer Fraud and Abuse Act with consequences not only for legitimate security research, but for Internet use in general. But don’t make him a martyr or an antihero. Weev is vile scum, who appears to be getting off on all the attention. If he wins on appeal he is bound to end up in jail sooner or later, but at least then it will be for a real crime, and hopefully will not bad establish case law with chilling effects. Share:

Share:
Read Post

New Job Diligence

I am pretty upfront about my turbulent job history. Some of the issues were due to not doing enough homework up front before taking a job. But as I look back I am not sure I would have made different decisions about which jobs to take even if I had done more homework. A post at SCMagazine by Justin Somaini makes a couple good points about what questions to ask before taking a CISO job. Understanding a company’s standing is always important. Is the company losing revenue? Have executives and/or board members left? Is the company prime for a takeover? Are competitors dominating the industry? All of these questions help determine a company’s health: a factor that will be critical to know if you’re going to make the right move. While risks can pay off, you want to know what you are getting into. A company in turmoil will be more resistant to funding projects, hiring new staff, or making security a priority. Okay, that’s pretty obvious. You need a shot upside the head with a clue bat if you aren’t really scrutinizing the financials and market position of any potential employer. One of the worst aspects of security groups, let alone IT, is staff management. It is common to have to restructure a team based on skills gaps. So always try to determine how large the team is in relation to the overall company and IT staffing. Typical security groups for companies of 10,000 to 15,000 full-time employees will have 25 to 30 staff. This does not include IT operational teams that I usually leave in a separate group. Is last year’s attrition rate at the typical 10 to 15 percent? Is the staff located in key areas for the company? Are there cascading goals from corporate objectives? Are reviews done quarterly and historically attached to goals? What are the results of the latest employee survey? Has there been a layoff or hiring freeze in the past 18 months? As with financial assets, not having the right human capital will only make your job tougher, so ask the questions. I am not sure you will get real answers to these questions. If you are interviewing for the senior role on any team you should expect the senior management to tell you that you will be able to make the necessary changes to deliver results. Of course you can meet all the folks already on the team, but in my experience everyone is on their best behavior during the interview process. They will blow smoke in your hind section if they think they can salvage their jobs. So you won’t really know what folks can do and the internal douche quotient until you get boots on the ground and dig in. That’s why I highly recommend a rent-to-buy scenario. Take a 3-month consulting gig, with the expectation that things will work out and you’ll become permanent at the end of that probationary period. That mitigates risk on both sides and can prevent serious mistakes. I have a good friend who did exactly this prior to a relocation. Within a month he knew the situation wasn’t a good fit, and he exited gracefully after his contract was up. Let me throw one more point at you. There is no excuse for not making a few phone calls to learn what may not be obvious during interviews. Call some folks who will provide honest answers about culture and work environment. Yes, I’m taking about former employees. It still amazes me the number of folks who do not call me before taking a job I had – working for the same folks. I could have given them an informed perspective on some of the good and a lot of the bad. Of course it’s my opinion, but it’s another data point in a pretty important decision. But go in with your head up. Understand you won’t know everything you need to know. Things will be different. Sometimes you’ll be pleasantly surprised. Other times not so much. Which is part of the game. Photo credit: “Rent-A-Center store” originally uploaded by benchilada Share:

Share:
Read Post

Preparation Yields Results

As a huge NFL fan with the DTs without a game to obsess about each week, I am constantly looking for parallels between football and my daily existence. Adrian talked a bit in one of his Incite snippets last week about how Facebook uses red team exercises to make sure they are prepared for the real thing. Luckily, the answer was yes, because the incident wasn’t real. It was the first of two large-scale red team exercises that Facebook has conducted in the last year. Red team exercises are certainly not a new concept–they’ve been around in the military world for decades and carried over into network security. But few of them are conducted in the way that this one, known internally as “Vampire”, was. McGeehan’s team kept the ruse going for more than 24 hours and kept close tabs on the way that the various participants reacted, communicated and disagreed. The idea, of course, is to prepare the teams for a real-life incident. And this comes back to something we hear in football circles every week. It’s all about the preparation. The teams put the work in (at least the ones that win), and they trust their preparation and just play on Sundays. They are ready and they give themselves a chance to compete. “We’re very well prepared now and I attribute that to the drills,” he said. “I’m not sure it would have worked as well otherwise. It felt like the second time we were responding to it and we were all ready for it. It was a much more calm, smooth response. [The exercises were] an incredible net positive.” The security world is no different. If you spend all day fighting fires and not preparing for incidents, how can you (and your team) expect to perform when the brown stuff hits the fan? You can’t. Which is fine. Though your management may have a different opinion. So you are best off making it very clear that based on staffing, expertise, funding, whatever, certain things aren’t getting done. Rather than Adrian’s call for the proverbial Security Chaos Monkey to be constantly testing your defenses, I prefer to focus on how to behave given the fact that you don’t have the resources to prepare properly for incidents. As I harp constantly, if you want to have any longevity as a CISO (or another senior security role), you had better get good at managing expectations. Of course that may not save you if (when) things go south. But at least you will have made it clear that you did not have the resources you needed, to the person responsible for getting you those resources. I underertand that many proud security folks would rather be caught dead than actually admit they can’t do their jobs. Which is too bad because excessive pride tends to be a major factor underlying high CISO turnover. Photo credit: “Untitled” originally uploaded by dabruins07 Share:

Share:
Read Post

The Dangerous Dance of Product Reviews

One of the things I miss least about doing marketing on a daily basis is product reviews. Of course when you win it’s awesome. You can then puff up your chest and take a victory lap as the sales folks use the review to beat down the competition. But when you lose it totally sucks. And depending on the culture of the company, unless it was a clear and decisive victory, it may be taken as a loss. Which requires damage control, forcing you to spin why the test was flawed. Then you need to question the integrity of the reviewer. That makes you many friends in the media community. Basically you have to figure out a way to make manure smell like roses. And no, it doesn’t usually work. So I wouldn’t want to be the folks responsible for running the NSS firewall test at WatchGuard. They got hammered. You can see the value map by registering on Dell SonicWALL’s site, but you can get the highlights and see WatchGuard’s beatdown in this CRN summary of the report. “Although WatchGuard demonstrated a good level of exploit protection, it was let down by its poor antievasion capabilities and a suboptimal price-performance ratio,” NSS Labs noted in its report. Frank Artes, director of research at NSS Labs, said the company also had some shortcomings to its system management capabilities. The company’s system manager was not as scalable and mature as other vendor products. WatchGuard was the only vendor tested by NSS Labs that was given a “caution” designation. The only vendor given a caution designation. Ouch. So their response is what? Dave Taylor, vice president of corporate strategy at Seattle-based WatchGuard, said the technology is tuned as a unified threat management appliance and not as a firewall. Really? It’s tuned as a UTM and not a NGFW? WTF? He is basically acknowledging that the product isn’t a modern device. Who doesn’t want to buy a modern device? Who wants to buy yesterday’s technology? Spin FAIL. But I am trying to understand why they participated in this test. Clearly, if every other vendor has a product with a modern architecture, and you don’t, the best thing to do is to not participate. But they did and it didn’t end well. Did I mention I don’t miss dealing with product reviews? Photo credit: “62:365 – Taster Testings” originally uploaded by Nomadic Lass Share:

Share:
Read Post

Ramping up the ‘Cyber’ Rhetoric

The rhetoric about cyberattacks is nearly deafening. It seems like my Twitter timeline blows up every day about cyber-this or cyber-that. Makes me want to cyber-puke. Since Mandiant pointed the finger at China everyone seems to be jumping on the bandwagon of tough talk and posturing. Take example #1: The US is now fielding teams to play offense and respond to computer attacks on critical infrastructure. I would like to be clear that this team, this defend-the-nation team, is not a defensive team,” Gen. Keith Alexander, who runs both the National Security Agency and the new Cyber Command, told the House Armed Services Committee. “This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace. Thirteen of the teams that we’re creating are for that mission alone. Uh, this is news? Maybe that there is finally acknowledgement that the US (along with every other first world nation) invests in building cyber-attack capability. I know it’s hard to remember, but a few short years ago there was an uproar when Anonymous documentated that HBGary was proposing to build weaponized exploits. Where’s the uproar now? Oh yeah, now it’s politically correct to defend ourselves. This is media-driven nonsense. I doubt the strategy has changed at all, except maybe accelerated a bit. Though it will be interesting to see if and how sequestration impacts these kinds of investments. Rich recently pointed out that China is fundamentally different because they use military hacking apparatus to help commercial Chinese entities gain intelligence that helps them win big contracts. Obviously Israel’s announcement that their cyber-defense capabilities will be used to protect private Israeli enterprises is different, but it is another clear indication that the line is blurring between the private and public sectors. As it should. The Defense Ministry will set up a new body to support local defense industries in coping with cyber threats, ministry director-general Maj.-Gen. (res.) Udi Shani announced Tuesday. And if you need another data point showing ‘cyber’ is the new hotness, the CEO of BP disclosed on CNBC that BP Fights Off Up to 50,000 Cyber-Attacks a Day. Cybersecurity is a growing issue around the world, not only with companies but with governments,” Dudley observed. “We see as many as 50,000 attempts a day like many big companies … to my knowledge we haven’t had an incident that’s taken away data from us, but we’re incredibly vigilant. Clearly someone is hiding something from the CEO here, but he pulled the plausible deniability card in the form of “to my knowledge…” But if he’s right and they haven’t lost any data that would make them only such company. And before you start bitching in the echo chamber about how the hype is getting in the way of you doing your job because you are being paraded in front of the board and up to the CEO’s office once a week, remember when no one gave a crap about security. It’s always good to be careful what you wish for. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.